Ben's notes

Linux, Unix, network, radio...


Cisco Catalyst 2960G - Configuration

Management / network configuration

Configure IP

  • Configure management IP address on VLAN 10
    conf t
    interface vlan10
    ip address 1.2.3.2 255.255.255.0
    exit
    ip default-gateway 1.2.3.1

Disable services

  • Disable VTP, so a rogue VTP advertisement cannot rewrite the VLAN database. On images that do not accept mode off, vtp mode transparent stops the switch from acting on advertisements (it still forwards them).
    conf t
    vtp mode off
  • Disable clustering.
    no cluster run
  • Disable vstack (the Smart Install client).
    no vstack
  • Disable DHCP.
    no service dhcp
  • Disable HTTP/S server.
    conf t
    no ip http server
    no ip http secure-server
  • Disable small services (echo, discard, chargen…).
    no service tcp-small-servers
    no service udp-small-servers
  • Disable finger.
    no ip finger
  • Ignore BOOTP requests. This command has no leading no: no ip dhcp bootp ignore would re-enable BOOTP handling. The DHCP service is already disabled above, so this only matters if it is ever switched back on.
    ip dhcp bootp ignore
  • Disable DNS lookups.
    no ip domain-lookup
  • Disable Packet Assembler/Disassembler (PAD).
    no service pad
  • Prevent loading config from TFTP service.
    no service config
  • Disable CDP and LLDP on untrusted interfaces.
    conf t
    interface range gigabitEthernet 0/2-48
    no cdp enable
    no lldp transmit
    no lldp receive

Enable services

  • Keepalives for TCP sessions, so hung or half-open connections (for example a dropped SSH session) are detected and cleaned up instead of occupying a VTY line.
    conf t
    service tcp-keepalives-in
    service tcp-keepalives-out

Authenticated NTP

  • Enable NTP with authentication. ntp authenticate makes the switch reject time from any server whose response is not authenticated with a key listed in ntp trusted-key.
    conf t
    ntp authenticate
    ntp authentication-key 150 md5 ticktock
    ntp trusted-key 150
    ntp server 1.2.3.50 key 150
    ntp server 1.2.3.51 key 150
    ntp source vlan10
  • Linux ntpd server config example. Key ID and secret must match the switch.
    #ntp.conf
    enable auth
    keys /etc/ntp.keys
    trustedkey 150
    
    #ntp.keys
    150 M ticktock
  • Meinberg LANTIME M200 server example.
    Using the web interface.
    - Go to tab 'NTP', then 'General Settings' 
    - Local Trusted Keys: 150
    - Go to 'NTP Symmetric keys', click 'Edit NTP MD5 keys'
    - Add: '#1 MD5 EXAMPLE
            150 MD5 ticktock'
    - Click Save Settings.
  • Verify NTP synchronisation.
    #sh ntp associations
    
      address         ref clock       st   when   poll reach  delay  offset   disp
    *~95.97.208.29    .PZF.            1      7     64    57  1.093   2.708 440.38
    +~95.97.208.30    .PPS.            1      4     64   167  1.141   3.547 190.44
     * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
    
    #sh ntp status
    Clock is synchronized, stratum 2, reference is 95.97.208.29
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is D7912CA6.D0C5123E (23:26:30.815 UTC Sat Aug 9 2014)
    clock offset is 2.7081 msec, root delay is 1.09 msec
    root dispersion is 7945.18 msec, peer dispersion is 440.38 msec
    loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000010 s/s
    system poll interval is 64, last update was 289 sec ago.

Restrict NTP access (client only)

  • Create access lists so the switch synchronises to its configured servers but serves time to nobody and answers no control queries. IOS checks the groups in the order peer, serve, serve-only, query-only and applies the first match, so the peer ACL must list exactly the addresses from the ntp server lines above; otherwise the responses are dropped and the switch never synchronises.
    ! NTP access control
    ntp access-group query-only 1   ! deny all NTP control queries
    ntp access-group serve 1        ! deny time and control queries from everyone else
    ntp access-group peer 10        ! full exchange only with configured peer(s)/server(s)
    ntp access-group serve-only 1   ! deny all sync requests
    !
    ! access control lists (ACLs)
    access-list 1 remark utility ACL to block everything
    access-list 1 deny any
    !
    access-list 10 remark NTP peers/servers we sync to/with (must match the ntp server lines)
    access-list 10 permit 1.2.3.50
    access-list 10 permit 1.2.3.51
    access-list 10 deny any
    !
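What the key 150 / md5 ticktock configuration above does on the wire, as an added example (my code, not from the page or from Cisco): the MAC is RFC 5905's 4-byte key ID followed by MD5(key || 48-byte header), and verification rejects exactly the cases ntp authenticate rejects. The key table and trusted set copy the page's values; the packet contents are constructed here.

```python
"""NTP symmetric-key (MD5) authentication as configured with
`ntp authentication-key 150 md5 ticktock` and `ntp trusted-key 150`.

Added example, not from the page. MAC format per RFC 5905:
4-byte key ID + 16-byte MD5 digest over (key || 48-byte header).
"""
import hashlib
import hmac
import struct
import time

NTP_KEYS = {150: b"ticktock"}   # ntp authentication-key 150 md5 ticktock (page's values)
TRUSTED_KEYS = {150}            # ntp trusted-key 150

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
HEADER_LEN = 48
MAC_LEN = 4 + 16


def build_client_header(tx_time=None):
    """48-byte NTPv4 header for a client request (LI=0, VN=4, mode=3)."""
    if tx_time is None:
        tx_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(tx_time) + NTP_EPOCH_OFFSET
    frac = int((tx_time - int(tx_time)) * (1 << 32)) & 0xFFFFFFFF
    # li/vn/mode, stratum, poll, precision, root delay, root dispersion, ref id,
    # then reference / origin / receive / transmit timestamps as (seconds, fraction)
    return struct.pack("!BBBbII4sIIIIIIII",
                       li_vn_mode, 0, 6, -20, 0, 0, b"\x00" * 4,
                       0, 0, 0, 0, 0, 0, secs, frac)


def sign(header, key_id):
    """Append the MAC that a `ntp server ... key 150` line makes the switch add."""
    digest = hashlib.md5(NTP_KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet):
    """Check an incoming packet the way `ntp authenticate` does.

    Returns (ok, reason). Packets without a MAC, with a key ID that is not
    configured or not trusted, or with a wrong digest are rejected.
    """
    if len(packet) == HEADER_LEN:
        return False, "no MAC"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "unexpected length %d" % len(packet)
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in NTP_KEYS or key_id not in TRUSTED_KEYS:
        return False, "key %d not configured/trusted" % key_id
    expected = hashlib.md5(NTP_KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    request = sign(build_client_header(), 150)
    print(len(request), verify(request))          # 68 (True, 'ok')
    forged = request[:HEADER_LEN] + b"\x00\x00\x00\x97" + request[HEADER_LEN + 4:]
    print(verify(forged))                          # (False, 'key 151 not configured/trusted')
    tampered = bytes([request[0], request[1] ^ 1]) + request[2:]
    print(verify(tampered))                        # (False, 'digest mismatch')
```

The digest is a keyed hash, not a signature: anyone who knows ticktock can produce valid time, which is why the secret belongs in the server config and in ntp.keys only, and why the access groups above still matter.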

Configure time zone

  • Configure time zone for the Netherlands.
    conf t
    clock timezone CET 1 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
  • Verify.
    sh clock detail
    .01:36:47.946 CEST Sun Aug 10 2014
    Time source is NTP
    Summer time starts 02:00:00 CET Sun Mar 30 2014
    Summer time ends 03:00:00 CEST Sun Oct 26 2014

Configure logging timestamps

  • Configure timestamps.
    conf t
    service sequence-numbers
    service timestamps debug datetime localtime msec show-timezone
    service timestamps log datetime localtime msec show-timezone

VLANs

Management

  • Configure gigabitEthernet 0/1 for VLAN 10 (management).
    interface gigabitEthernet 0/1
    no shut
    switchport mode access
    switchport access vlan 10
    description Management

Native VLAN

By default the native VLAN is VLAN 1, and untagged frames on any port that ends up trunking land in it. Change the native VLAN on every port to the otherwise unused VLAN 20 so that such frames cannot reach VLAN 1.

  • Change native VLAN to 20, for all interfaces
    conf t
    interface range gigabitEthernet 0/1-48
    switchport trunk native vlan 20
  • Verify example:
    sh interfaces gigabitEthernet 0/10 trunk
    
    Port        Mode             Encapsulation  Status        Native vlan
    Gi0/10      auto             802.1q         other         20
    
    Port        Vlans allowed on trunk
    Gi0/10      none
    
    Port        Vlans allowed and active in management domain
    Gi0/10      none
    
    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/10      none

VLAN 1

  • Shutdown VLAN 1.
    conf t
    interface vlan1
    shutdown

Ports

  • Shutdown unused ports.
  • Disable DTP negotiation (switchport nonegotiate), so a connected host cannot negotiate a trunk.
  • Move them to an unused VLAN 20.
  • Configure the range of ports:
    conf t
    interface range gigabitEthernet 0/2-48
    switchport mode access
    switchport access vlan 20
    switchport nonegotiate
    shut
  • Verify.
    #show interfaces status
    
    Port      Name               Status       Vlan       Duplex  Speed Type
    Gi0/1     Management         connected    10         a-full a-1000 10/100/1000BaseTX
    Gi0/2                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/3                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/4                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/5                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/6                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/7                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/8                        disabled     20           auto   auto 10/100/1000BaseTX
    Gi0/9                        disabled     20           auto   auto 10/100/1000BaseTX
    ...
    <snip>
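To check a switch against the port baseline from this section together with the native VLAN, VLAN 1 and CDP/LLDP settings above, here is an added example (my code, not from the page) that parses the interface stanzas of show running-config and lists what each port is missing. The running-config excerpt is constructed for the example, and the MANAGEMENT_PORTS allow-list is an assumption to adjust per site.

```python
"""Audit `show running-config` interface stanzas against the port baseline.

Added example, not from the page. The policy sets mirror the commands in
the Ports, Native VLAN, VLAN 1 and CDP/LLDP sections; MANAGEMENT_PORTS is
an assumed allow-list of ports that may stay up. The config text is constructed.
"""
import re

IFACE_RE = re.compile(r"^interface (\S+)$")

# Every physical port that is not explicitly allow-listed must contain all of these.
ACCESS_PORT_BASELINE = {
    "switchport mode access",
    "switchport access vlan 20",
    "switchport nonegotiate",
    "switchport trunk native vlan 20",
    "shutdown",
    "no cdp enable",
    "no lldp transmit",
    "no lldp receive",
}
# Assumed allow-list: ports in use, each with its own requirements.
MANAGEMENT_PORTS = {
    "GigabitEthernet0/1": {"switchport mode access",
                           "switchport access vlan 10",
                           "switchport trunk native vlan 20"},
}
SVI_BASELINE = {"Vlan1": {"shutdown"}}

# Constructed excerpt of `show running-config` (IOS indents stanza lines by one space).
SAMPLE_RUNNING_CONFIG = """\
hostname sw-example
!
interface GigabitEthernet0/1
 description Management
 switchport access vlan 10
 switchport trunk native vlan 20
 switchport mode access
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport trunk native vlan 20
 switchport mode access
 switchport nonegotiate
 shutdown
 no cdp enable
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface GigabitEthernet0/4
 switchport trunk native vlan 20
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 1.2.3.2 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Return {interface name: set of its indented config lines}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level command or '!' ends a stanza
            m = IFACE_RE.match(line)
            current = m.group(1) if m else None
            if current:
                stanzas[current] = set()
            continue
        if current is not None:
            stanzas[current].add(line.strip())
    return stanzas


def audit(config_text):
    """Return {interface: sorted missing baseline lines}; an empty dict means compliant."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        if name in MANAGEMENT_PORTS:
            required = MANAGEMENT_PORTS[name]
        elif name in SVI_BASELINE:
            required = SVI_BASELINE[name]
        elif name.startswith("GigabitEthernet"):
            required = ACCESS_PORT_BASELINE
        else:
            continue                            # other SVIs are out of scope here
        missing = sorted(required - lines)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for iface, missing in audit(SAMPLE_RUNNING_CONFIG).items():
        print(iface, "missing:", ", ".join(missing))
```

Gi0/4 is reported because it is a trunk that nobody allow-listed, which is the case this check is for: an uplink that should exist goes into the allow-list with its own required lines, anything else that trunks is a finding. Note that show running-config omits default settings, so lines such as no cdp enable only appear once they differ from the default.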

Access and authentication

PBKDF2 enable secret

  • Configure the enable secret as a type 8 hash (PBKDF2-HMAC-SHA-256). Where the image offers it, algorithm-type scrypt (type 9) is the stronger choice. Type 7 is reversible, type 5 is salted MD5 and type 4 is a single unsalted SHA-256, so none of those should be used for new secrets.
    conf t
    enable algorithm-type sha256 secret test12345

Configure serial console

With synchronous logging enabled on a line, unsolicited output (syslog messages and debug output) is held until the current command output has finished, printed after it, and followed by a fresh prompt. Without it, those messages are interspersed with whatever you are typing.

  • Configure serial console
    line console 0
    logging sync
    login local

Setup SSH / disable telnet

  • Ensure that you have configured a host and domain name.
    sh run | include hostname
    sh run | include domain-name
  • Generate the RSA key pair. Accept nothing below 2048 bits; the non-interactive form is crypto key generate rsa modulus 2048.
    config t
    crypto key generate rsa
    How many bits in the modulus [512]: 2048
  • Configure vty's, this will also disable telnet.
    line vty 0 15
    transport input ssh
    login local
  • Configure the SSH server (time-out is the negotiation timeout in seconds).
    conf t
    ip ssh version 2
    ip ssh time-out 30
    ip ssh authentication-retries 3
  • Verify that only SSH version 2 is offered and the key is in place.
    sh ip ssh
    sh crypto key mypubkey rsa

Login banner

  • Configure login banner.
    conf t
    banner login $Access for authorized users only!
    
    $
    end

Configure users using strong password hashes

Thanks Dennis, for providing the correct syntax!

  • Configure users
    config t
    username example algorithm-type sha256 secret test1234
    do sh run | i example
    username example secret 8 $8$yJq4f/MpacJJ.r$ZeCjRxMd6b3qKDrZ5tozyx8IJSV5B8B./LTbVAljEoA
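Both the enable secret above and this username line are stored as type 8 hashes. As an added example (my code, not Cisco's and not from the page), here is what a type 8 hash is and how to verify one offline, for instance to confirm that a secret from a config backup is the one you think it is. Assumed algorithm, the one hashcat mode 9200 and John the Ripper implement for $8$: PBKDF2-HMAC-SHA256 with 20000 iterations, the 14-character salt used verbatim as bytes, and the 32-byte result encoded in standard base64 bit order with the crypt alphabet ./0-9A-Za-z and no padding. The function checks itself against the hash shown on this page.

```python
"""Cisco IOS type 8 secrets (the `$8$...` strings written by
`enable algorithm-type sha256 secret` and `username ... algorithm-type sha256 secret`).

Added example, not from the page. Assumed algorithm (as implemented by hashcat
mode 9200 / John the Ripper): PBKDF2-HMAC-SHA256, 20000 iterations, 14-char salt
used as-is, 32-byte output in base64 (MSB-first) over the crypt alphabet, no padding.
"""
import hashlib
import hmac
import secrets

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ITERATIONS = 20000
SALT_LEN = 14
DK_LEN = 32

# The hash the page shows for `username example algorithm-type sha256 secret test1234`.
PAGE_HASH = "$8$yJq4f/MpacJJ.r$ZeCjRxMd6b3qKDrZ5tozyx8IJSV5B8B./LTbVAljEoA"


def b64_cisco(data):
    """Base64 with the crypt alphabet, MSB-first, no padding (43 chars for 32 bytes)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        out.extend(ALPHABET[s] for s in sextets[:len(chunk) + 1])
    return "".join(out)


def hash_type8(password, salt=None):
    """Return `$8$<salt>$<digest>`; a random salt is drawn when none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ALPHABET) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN or any(c not in ALPHABET for c in salt):
        raise ValueError("salt must be 14 characters from ./0-9A-Za-z")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             ITERATIONS, DK_LEN)
    return "$8$%s$%s" % (salt, b64_cisco(dk))


def verify_type8(password, stored):
    """Constant-time check of a candidate password against a stored type 8 hash."""
    parts = stored.strip().split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "8":
        return False
    try:
        candidate = hash_type8(password, parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored.strip())


if __name__ == "__main__":
    print(verify_type8("test1234", PAGE_HASH))   # True
    print(hash_type8("correct horse battery"))   # fresh salt, 61 characters
```

20000 iterations of PBKDF2-SHA256 is cheap on a GPU, which is why the secrets themselves still need to be long and why type 9 (scrypt) is preferable where available.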

Login Password Retry Lockout

  • Configure AAA. Once aaa new-model is entered, the login local statements on the console and VTY lines are replaced by the default AAA method list, so the last line is what keeps local authentication working. A locked account is listed by sh aaa local user lockout and released with clear aaa local user lockout username <name>.
    conf t
    aaa new-model
    aaa local authentication attempts max-fail 5
    aaa authentication login default local

EXEC time-out

  • Configure an EXEC time-out of 5 minutes on console and VTY lines.
    conf t
    line con 0
     exec-timeout 5
    line vty 0 15
     exec-timeout 5

Logging

Disable logging to console

  • The switch does not check whether anyone is actually connected to the console port; with console logging enabled every message is still formatted and sent to it, which costs CPU during a message storm.
    conf t
    no logging console
  • Alternatively keep console logging but rate-limit it, e.g. logging rate-limit console 10 (at most 10 messages per second).

Log events to syslog

  • Send events to a syslog host. Use the management SVI as source address so the messages arrive from the expected IP (and pass the collector's ACL), and keep a local buffer for when the collector is unreachable.
    conf t
    logging <host>
    logging trap <level>          ! e.g. informational
    logging source-interface vlan10
    logging buffered <size>
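What the timestamp and sequence-number settings above buy you on the collector side, as an added example (my code, not from the page): a parser for lines in that format, a check for the marker IOS prints when its clock is not authoritative (ties back to the NTP section), and a brute-force detector over LOGIN_FAILED messages using the same threshold as the lockout configured earlier. The log lines are constructed; the mnemonics are real IOS ones but every value in them is made up.

```python
"""Parse Catalyst syslog lines produced with `service sequence-numbers` and
`service timestamps log datetime localtime msec show-timezone`, and run checks.

Added example, not from the page. SAMPLE_LOG is constructed; the threshold of 5
mirrors `aaa local authentication attempts max-fail 5`.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"""
    ^(?:<\d+>)?                        # syslog PRI, present on the wire, absent in `show logging`
    (?:(?P<seq>\d{6}):\s)?             # service sequence-numbers
    (?P<unsync>[*.])?                  # IOS prefixes * (or .) when the clock is not authoritative
    (?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s   # datetime msec
    (?P<tz>[A-Z]+):\s                  # show-timezone
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s
    (?P<text>.*)$""", re.VERBOSE)
SOURCE_RE = re.compile(r"\[Source: ([0-9.]+)\]")

SAMPLE_LOG = [  # constructed lines
    "000101: Aug 10 01:36:47.946 CEST: %SYS-5-CONFIG_I: Configured from console by example on vty0 (1.2.3.4)",
    "000102: Aug 10 01:37:02.118 CEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 1.2.3.99] [localport: 22] [Reason: Login Authentication Failed] at 01:37:02 CEST Sun Aug 10 2014",
    "000103: Aug 10 01:37:05.230 CEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 1.2.3.99] [localport: 22] [Reason: Login Authentication Failed] at 01:37:05 CEST Sun Aug 10 2014",
    "000104: Aug 10 01:37:08.004 CEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 1.2.3.99] [localport: 22] [Reason: Login Authentication Failed] at 01:37:08 CEST Sun Aug 10 2014",
    "000105: Aug 10 01:37:11.771 CEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 1.2.3.99] [localport: 22] [Reason: Login Authentication Failed] at 01:37:11 CEST Sun Aug 10 2014",
    "000106: Aug 10 01:37:15.019 CEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: example] [Source: 1.2.3.99] [localport: 22] [Reason: Login Authentication Failed] at 01:37:15 CEST Sun Aug 10 2014",
    "000107: Aug 10 01:37:40.500 CEST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: example] [Source: 1.2.3.4] [localport: 22] at 01:37:40 CEST Sun Aug 10 2014",
    "000108: *Aug 10 01:38:00.001 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
    "this line is not an IOS message",
]


def parse_line(line):
    """Return a dict of fields, or None when the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["seq"] = int(d["seq"]) if d["seq"] else None
    d["unsync"] = d["unsync"] is not None
    d["when"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S.%f")  # no year in this format
    return d


def detect_bruteforce(events, threshold=5, window_s=300):
    """Sources with at least `threshold` LOGIN_FAILED events inside `window_s` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED":
            src = SOURCE_RE.search(e["text"])
            if src:
                by_src[src.group(1)].append(e["when"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[src] = len(times)
                break
    return hits


def analyse(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),
        "unsynced_clock": [e["seq"] for e in events if e["unsync"]],   # NTP lost, timestamps suspect
        "config_changes": [e["text"] for e in events if e["mnemonic"] == "CONFIG_I"],
        "bruteforce": detect_bruteforce(events),
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_LOG).items():
        print(k, v)
```

The sequence numbers are what let you notice dropped UDP syslog messages (a gap in seq), and the timezone suffix is what stops a collector in another zone from misfiling events, which is the reason both options were turned on in the timestamp section.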

Archive configuration

  • Configure automatic archiving on every write memory. The SCP credentials end up in plain text in the running configuration, so use an account that can only write to that directory and treat show run output as sensitive.
    conf t
    archive
     path scp://<username>:<password>@<hostname>/<directory>/file-
     write-memory
  • Log every configuration command to syslog as well, with secrets masked.
    conf t
    archive
     log config
      logging enable
      notify syslog
      hidekeys

SNMPv3

  • Create access list to prevent access from other hosts:
    ip access-list standard SNMP
      permit host <ip-address monitoring host>
      deny any log
  • Configure SNMP Location & contact:
    snmp-server location <location>
    snmp-server contact <email address>
  • Configure SNMP View:
    snmp-server view MIB-2 mib-2 included
  • Configure SNMP group:
    snmp-server group READONLY v3 priv read MIB-2
  • Create SNMP user. The user is not shown in the running configuration and is bound to the local engine ID, so changing snmp-server engineID local afterwards invalidates it:
    snmp-server user <username> READONLY v3 auth sha <passphrase> priv aes 128 <passphrase> access SNMP
  • Verify.
    sh snmp user
    sh snmp group

To do

  • bpdu guard
  • Enable dhcp snooping
  • Dynamic arp inspection on access ports
cisco_catalyst_2960.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1